systemd/.github/workflows/codeql.yml

---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: "CodeQL"

on:
  pull_request:
    branches:
      - main
      - v[0-9]+-stable
    paths:
      - '**/meson.build'
      - '.github/**/codeql*'
      - 'src/**'
      - 'test/**'
      - 'tools/**'
  push:
    branches:
      - main
      - v[0-9]+-stable

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    if: github.repository != 'systemd/systemd-security'
    runs-on: ubuntu-24.04
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      actions: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ['cpp', 'python']

    steps:
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332

    - name: Initialize CodeQL
      uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql-config.yml

    - run: sudo -E .github/workflows/unit_tests.sh SETUP

    - name: Autobuild
      uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c
ci: LGPLv2+ify dependapot config and codeql action 2021-11-14 09:37:54 +00:00			`---`
			`# vi: ts=2 sw=2 et:`
			`# SPDX-License-Identifier: LGPL-2.1-or-later`
			`#`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`name: "CodeQL"`

			`on:`
ci: run codeql on PRs from Dependabot To make sure PRs like https://github.com/systemd/systemd/pull/21409 don't break anything. 2021-11-16 10:46:16 +00:00			`pull_request:`
ci: run CodeQL on every PR Since LGTM is no longer enabled for the systemd repo (as it's going to be discontinued by the EOY), let's run CodeQL on every PR instead to replace it. 2022-09-13 17:11:25 +00:00			`branches:`
ci: run CodeQL on push to main/stable branches as well Since we need results for the base branches as well in order to have something to compare against. Follow-up to cbe25d0dccdd3f2901a1e74a665c068f42dae9f5. 2022-09-13 19:18:44 +00:00			`- main`
			`- v[0-9]+-stable`
ci: limit scope for the CodeQL scan Don't run the workflow unnecessarily for non-{cpp,python} related changes. 2022-09-13 19:30:10 +00:00			`paths:`
			`- '**/meson.build'`
			`- '.github/*/codeql'`
			`- 'src/**'`
			`- 'test/**'`
			`- 'tools/**'`
ci: run CodeQL on push to main/stable branches as well Since we need results for the base branches as well in order to have something to compare against. Follow-up to cbe25d0dccdd3f2901a1e74a665c068f42dae9f5. 2022-09-13 19:18:44 +00:00			`push:`
			`branches:`
ci: run CodeQL on every PR Since LGTM is no longer enabled for the systemd repo (as it's going to be discontinued by the EOY), let's run CodeQL on every PR instead to replace it. 2022-09-13 17:11:25 +00:00			`- main`
			`- v[0-9]+-stable`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00
ci: tighten codeql and labeler even more by moving the read permissions to the top level and granting additional permissions to the specific jobs. It should help to prevent new jobs that could be added there eventually from having write access to resources they most likely would never need. 2021-11-14 09:41:42 +00:00			`permissions:`
			`contents: read`

ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`jobs:`
			`analyze:`
			`name: Analyze`
GA: do not run codeql on systemd-security Scanning is not available on private repositories 2022-11-30 10:28:34 +00:00			`if: github.repository != 'systemd/systemd-security'`
ci: Switch to Ubuntu 24.04 2024-06-07 08:55:53 +00:00			`runs-on: ubuntu-24.04`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`concurrency:`
			`group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}`
			`cancel-in-progress: true`
			`permissions:`
			`actions: read`
			`security-events: write`

			`strategy:`
			`fail-fast: false`
			`matrix:`
ci: run CodeQL on every PR Since LGTM is no longer enabled for the systemd repo (as it's going to be discontinued by the EOY), let's run CodeQL on every PR instead to replace it. 2022-09-13 17:11:25 +00:00			`language: ['cpp', 'python']`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00
			`steps:`
			`- name: Checkout repository`
build(deps): bump actions/checkout from 4.1.6 to 4.1.7 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2024-07-01 09:49:46 +00:00			`uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00
			`- name: Initialize CodeQL`
build(deps): bump github/codeql-action from 3.24.7 to 3.25.11 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.7 to 3.25.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/3ab4101902695724f9365a384f86c1074d94e18c...b611370bb5703a7efb587f9d136a52ea24c5c38c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2024-07-01 11:19:36 +00:00			`uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00			`with:`
			`languages: ${{ matrix.language }}`
ci: sync the list of CodeQL queries with LGTM 2021-12-07 11:06:29 +00:00			`config-file: ./.github/codeql-config.yml`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00
			`- run: sudo -E .github/workflows/unit_tests.sh SETUP`

			`- name: Autobuild`
build(deps): bump github/codeql-action from 3.24.7 to 3.25.11 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.7 to 3.25.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/3ab4101902695724f9365a384f86c1074d94e18c...b611370bb5703a7efb587f9d136a52ea24c5c38c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2024-07-01 11:19:36 +00:00			`uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c`
ci: run codeql-analysis daily https://github.com/github/codeql-action Apparently to judge from a couple of warnings I haven't seen before it's a bit different from LGTM. 2021-11-10 23:02:05 +00:00
			`- name: Perform CodeQL Analysis`
build(deps): bump github/codeql-action from 3.24.7 to 3.25.11 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.7 to 3.25.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/3ab4101902695724f9365a384f86c1074d94e18c...b611370bb5703a7efb587f9d136a52ea24c5c38c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2024-07-01 11:19:36 +00:00			`uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c`